b"AUDIT OF COMPLIANCE WITH STANDARDS GOVERNING\n COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n   OHIO BUREAU OF CRIMINAL IDENTIFICATION\n              AND INVESTIGATION\n                LONDON, OHIO\n\n\n           U.S. Department of Justice\n         Office of the Inspector General\n                  Audit Division\n\n\n          Audit Report GR-50-11-007\n               September 2011\n\x0c AUDIT OF COMPLIANCE WITH STANDARDS GOVERNING COMBINED\n            DNA INDEX SYSTEM ACTIVITIES AT THE\n          OHIO BUREAU OF CRIMINAL IDENTIFICATION\n                    AND INVESTIGATION\n                      LONDON, OHIO\n\n                               EXECUTIVE SUMMARY\n\n      The Department of Justice, Office of the Inspector General, Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the Ohio Bureau of\nCriminal Identification and Investigation Laboratory (Laboratory) in London,\nOhio.\n\nBackground\n\n      The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS program combines\nforensic science and computer technology to provide an investigative tool to\nfederal, state, and local crime laboratories in the United States, as well as\nthose from select international law enforcement agencies. The CODIS\nprogram allows these crime laboratories to compare and match DNA profiles\nelectronically to assist law enforcement in solving crimes and identifying\nmissing or unidentified persons. 1 The FBI\xe2\x80\x99s CODIS Unit manages CODIS, as\nwell as develops, supports, and provides the program to crime laboratories\nto foster the exchange and comparison of forensic DNA evidence.\n\n      The FBI implemented CODIS as a distributed database with\nhierarchical levels that enable federal, state, and local crime laboratories to\ncompare DNA profiles electronically. The hierarchy consists of three distinct\nlevels that flow upward from the local level to the state level and then, if\nallowable, the national level. The National DNA Index System (NDIS), the\nhighest level in the hierarchy, is managed by the FBI as the nation\xe2\x80\x99s DNA\ndatabase containing DNA profiles uploaded by law enforcement agencies\nacross the United States. NDIS enables the laboratories participating in the\nCODIS program to electronically compare DNA profiles on a national level.\nThe State DNA Index System (SDIS) is used at the state level to serve as a\nstate\xe2\x80\x99s DNA database containing DNA profiles from local laboratories and\n\n\n       1\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\x0cstate offenders. The Local DNA Index System (LDIS) is used by local\nlaboratories.\n\nOIG Audit Objectives\n\n      Our audit generally covered the period from October 2008 through\nOctober 2010. The objectives of our audit were to determine if: (1) the\nLaboratory was in compliance with the NDIS participation requirements;\n(2) the Laboratory was in compliance with the Quality Assurance Standards\n(QAS) issued by the FBI; and (3) the Laboratory\xe2\x80\x99s forensic DNA profiles in\nCODIS databases were complete, accurate, and allowable for inclusion in\nNDIS.\n\n      Our review determined the following.\n\n      \xe2\x80\xa2   The Laboratory complied with the NDIS participation requirements\n          we reviewed. Specifically, we found that the Laboratory maintained\n          adequate security over its facilities and CODIS servers, submitted\n          the required background information on CODIS users to the FBI,\n          kept records showing CODIS users were properly trained, and were\n          timely in resolving the NDIS matches we reviewed.\n\n      \xe2\x80\xa2   The Laboratory generally complied with the QAS we reviewed.\n          Specifically, we found that the Laboratory had adequate laboratory\n          security policies and conducted annual site visits of its contracted\n          laboratory.\n\n      \xe2\x80\xa2   We reviewed 100 of the 4,510 forensic profiles the Laboratory had\n          uploaded to NDIS as of September 22, 2010. Of the 100 forensic\n          profiles sampled, 4 were unallowable for inclusion in NDIS. The\n          profiles were either missing supporting information to prove they\n          were allowable for upload to NDIS, belonged to the victim, or could\n          not be connected to the crime scene. The Laboratory removed all\n          four profiles from NDIS. Because all four unallowable profiles were\n          processed by the Laboratory prior to December 2003, it appears the\n          Laboratory is now following procedures to prevent entry of\n          unallowable profiles into CODIS. The remaining 96 profiles we\n          reviewed were complete, accurate, and allowable for inclusion in\n          NDIS.\n\n      The results of our audit are discussed in detail in the findings section\nof the report. Our audit objectives, scope, and methodology are detailed in\nAppendix I of the report, and the audit criteria are detailed in Appendix II.\n\n\n\n                                      - ii -\n\x0c      We discussed the results of our audit with Laboratory officials and\nhave included their comments in the report as applicable.\n\n\n\n\n                                    - iii -\n\x0c                                TABLE OF CONTENTS\n\n\nINTRODUCTION ................................................................................ 1\n   Background ..................................................................................... 1\n   OIG Audit Objectives ........................................................................ 1\n   Legal Foundation for CODIS ............................................................... 1\n   CODIS Structure .............................................................................. 2\n   Laboratory Information ..................................................................... 6\n\nFINDINGS AND RECOMMENDATIONS................................................ 7\n   I.    Compliance with NDIS Participation Requirements .......................... 7\n   II.   Compliance with the Quality Assurance Standards .......................... 9\n   III. Suitability of Forensic DNA Profiles in CODIS Databases................ 12\n\nAPPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY ............... 15\n\nAPPENDIX II: AUDIT CRITERIA ..................................................... 18\n   NDIS Participation Requirements ...................................................... 18\n   Quality Assurance Standards ........................................................... 18\n   Office of the Inspector General Standards ......................................... 20\n\nAPPENDIX III: AUDITEE RESPONSE .............................................. 18\n\nAPPENDIX IV: FEDERAL BUREAU OF INVESTIGATION\n                RESPONSE ......................................................... 22\n\x0c                                 INTRODUCTION\n\n\n      The Department of Justice, Office of the Inspector General, Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the Ohio Bureau of\nCriminal Identification and Investigation Laboratory (Laboratory) in London,\nOhio.\n\nBackground\n\n      The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS provides an\ninvestigative tool to federal, state, and local crime laboratories in the United\nStates using forensic science and computer technology. The CODIS program\nallows these laboratories to compare and match DNA profiles electronically,\nthereby assisting law enforcement in solving crimes and identifying missing\n                         2\nor unidentified persons. The FBI\xe2\x80\x99s CODIS Unit manages CODIS and is\nresponsible for its use in fostering the exchange and comparison of forensic\nDNA evidence.\n\nOIG Audit Objectives\n\n       Our audit generally covered the period from November 2008 through\nOctober 2010. The objectives of our audit were to determine if: (1) the\nLaboratory was in compliance with the National DNA Index System (NDIS)\nparticipation requirements; (2) the Laboratory was in compliance with the\nQuality Assurance Standards (QAS) issued by the FBI; and (3) the\nLaboratory\xe2\x80\x99s forensic DNA profiles in CODIS databases were complete,\naccurate, and allowable for inclusion in NDIS. Appendix I contains a detailed\ndescription of our audit objectives, scope, and methodology, while the\ncriteria used to conduct our audit are presented in Appendix II.\n\nLegal Foundation for CODIS\n\n      The FBI began the CODIS program as a pilot project in 1990. The\nDNA Identification Act of 1994 (Act) authorized the FBI to establish a\nnational index of DNA profiles for law enforcement purposes. The Act, along\n\n\n       2\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\x0cwith subsequent amendments, has been codified in a federal statute\n(Statute) providing the legal authority to establish and maintain NDIS. 3\n\nAllowable DNA Profiles\n\n      The Statute authorizes NDIS to contain the DNA identification records\nof persons convicted of crimes, persons who have been charged in an\nindictment or information with a crime, and other persons whose DNA\nsamples are collected under applicable legal authorities. Samples voluntarily\nsubmitted solely for elimination purposes are not authorized for inclusion in\nNDIS. The Statute also authorizes NDIS to include analysis of DNA samples\nrecovered from crime scenes or from unidentified human remains, as well as\nthose voluntarily contributed from relatives of missing persons.\n\nAllowable Disclosure of DNA Profiles\n\n       The Statute requires that NDIS only include DNA information that is\nbased on analyses performed by or on behalf of a criminal justice agency \xe2\x80\x93\nor the U.S. Department of Defense \xe2\x80\x93 in accordance with QAS issued by the\nFBI. The DNA information in the index is authorized to be disclosed only:\n(1) to criminal justice agencies for law enforcement identification purposes;\n(2) in judicial proceedings, if otherwise admissible pursuant to applicable\nstatutes or rules; (3) for criminal defense purposes, to a defendant who shall\nhave access to samples and analyses performed in connection with the case\nin which the defendant is charged; or (4) if personally identifiable\ninformation (PII) is removed for a population statistics database, for\nidentification research and protocol development purposes, or for quality\ncontrol purposes.\n\nCODIS Structure\n\n       The FBI implemented CODIS as a distributed database with\nhierarchical levels that enables federal, state, and local crime laboratories to\ncompare DNA profiles electronically. CODIS consists of a hierarchy of three\ndistinct levels: (1) NDIS is managed by the FBI as the nation\xe2\x80\x99s DNA\ndatabase containing DNA profiles uploaded by participating states, (2) the\nState DNA Index System (SDIS) is used at the state level to serve as a\nstate\xe2\x80\x99s DNA database containing DNA profiles from local laboratories within\nthe state and state offenders, and (3) the Local DNA Index System (LDIS) is\nused by local laboratories. DNA profiles originate at the local level and then\nflow upward to the state and, if allowable, national level. For example, the\nlocal laboratory in the Palm Beach County, Florida, Sheriff\xe2\x80\x99s Office sends its\n\n      3\n          42 U.S.C.A. \xc2\xa7 14132 (2006).\n\n\n                                        -2-\n\x0cprofiles to the state laboratory in Tallahassee, which then uploads the\nprofiles to NDIS. Each state participating in CODIS has one designated SDIS\nlaboratory. The SDIS laboratory maintains its own database and is\nresponsible for overseeing NDIS issues for all CODIS-participating\nlaboratories within the state. The graphic below presents an example of how\nthe system hierarchy works.\n\n                 Example of System Hierarchy within CODIS\n\n                                              NDIS\n                                   Maintained by the FBI\n\n\n\n\nSDIS                            SDIS                             SDIS\nLaboratory                      Laboratory                       Laboratory\nRichmond, CA                    Springfield, IL                  Tallahassee, FL\n\n\n\n                                  LDIS Laboratories (partial list):\n                                  DuPage County Sheriff\xe2\x80\x99s Office\n                                  Illinois State Police, Chicago\n                                  Illinois State Police, Rockford\n\n LDIS Laboratories (partial list):                       LDIS Laboratories (partial list):\n Orange County Sheriff\xe2\x80\x99s Department                      Broward County Sheriff\xe2\x80\x99s Office\n San Bernardino County Sheriff\xe2\x80\x99s Department              Miami-Dade Police Department\n San Diego Police Department                             Palm Beach County Sheriff\xe2\x80\x99s Office\n\n\n\nNational DNA Index System\n\n      NDIS is the highest level in the CODIS hierarchy and enables the\nlaboratories participating in the CODIS program to electronically compare\nDNA profiles on a national level. NDIS does not contain names or other PII\nabout the profiles. Therefore, matches are resolved through a system of\nlaboratory-to-laboratory contacts. Within NDIS are seven searchable indices\ndiscussed below.\n\n      \xe2\x80\xa2   Convicted Offender Index contains profiles generated from persons\n          convicted of qualifying offenses. 4\n\n\n      4\n        The phrase \xe2\x80\x9cqualifying offenses\xe2\x80\x9d is used here to refer to local, state, or federal\n crimes that require a person to provide a DNA sample in accordance with applicable laws.\n\n\n\n                                              -3-\n\x0c      \xe2\x80\xa2   Arrestee Index is comprised of profiles developed from persons who\n          have been arrested, indicted, or charged in an information with a\n          crime.\n\n      \xe2\x80\xa2   Legal Index consists of profiles that are produced from DNA\n          samples collected from persons under other applicable legal\n          authorities. 5\n\n      \xe2\x80\xa2   Forensic Index profiles originate from, and are associated with,\n          evidence found at crime scenes.\n\n      \xe2\x80\xa2   Missing Person Index contains known DNA profiles of missing\n          persons and deduced missing persons.\n\n      \xe2\x80\xa2   Unidentified Human (Remains) Index holds profiles from\n          unidentified living individuals and the remains of unidentified\n          deceased individuals. 6\n\n      \xe2\x80\xa2   Relatives of Missing Person Index is comprised of DNA profiles\n          generated from the biological relatives of individuals reported\n          missing.\n\n      Although CODIS is comprised of multiple indices or databases, the two\nmain functions of the system are to: (1) generate investigative leads that\nmay help in solving crimes, and (2) identify missing and unidentified\npersons.\n\n       The Forensic Index generates investigative leads in CODIS that may\nhelp solve crimes. Investigative leads may be generated through matches\nbetween the Forensic Index and other indices in the system, including the\nConvicted Offender, Arrestee, and Legal Indices. These matches may\nprovide investigators with the identity of suspected perpetrators. CODIS\nalso links crime scenes through matches between Forensic Index profiles,\npotentially identifying serial offenders.\n\n      In addition to generating investigative leads, CODIS furthers the\nobjectives of the FBI\xe2\x80\x99s National Missing Person DNA Database program\nthrough its ability to identify missing and unidentified individuals. Those\npersons may be identified through matches between indices in CODIS, such\n\n      5\n        An example of a Legal Index profile is one from a person found not guilty by\n reason of insanity who is required by the relevant state law to provide a DNA sample.\n      6\n         An example of an Unidentified Human (Remains) Index profile from a living person\n is a profile from a child or other individual who cannot or refuses to identify themselves.\n\n\n                                          -4-\n\x0cas through matches between the profiles in the Missing Persons Index and\nthe Unidentified Human (Remains) Index. Identifications may also be\ngenerated through matches between the Unidentified Human (Remains)\nIndex and the Relatives of Missing Persons Index. The profiles within the\nMissing Persons and Unidentified Human (Remains) Indices may also be\nvetted against the Forensic, Convicted Offender, Arrestee, and Legal Indices\nto provide investigators with leads in solving missing and unidentified\npersons cases.\n\nState and Local DNA Index System\n\n       The FBI provides CODIS software free of charge to any state or local\nlaw enforcement laboratory performing DNA analysis. Laboratories are able\nto use the CODIS software to upload profiles to NDIS. However, before a\nlaboratory is allowed to participate at the national level and upload DNA\nprofiles to NDIS, a Memorandum of Understanding (MOU) must be signed\nbetween the FBI and the applicable state\xe2\x80\x99s SDIS laboratory. The MOU\ndefines the responsibilities of each party, includes a sublicense for the use of\nCODIS software, and delineates the standards laboratories must meet in\norder to utilize NDIS. Although officials from LDIS laboratories do not sign\nan MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory\nare required to adhere to the MOU signed by the SDIS laboratory.\n\n       States are authorized to upload DNA profiles to NDIS based on local,\nstate, and federal laws, as well as NDIS regulations. However, states or\nlocalities may maintain NDIS-restricted profiles in SDIS or LDIS. For\ninstance, a local law may allow for the collection and maintenance of a\nvictim profile at LDIS, but NDIS regulations do not authorize the upload of\nthat profile to the national level.\n\n      The utility of CODIS relies upon the completeness, accuracy, and\nquantity of profiles that laboratories upload to the system. Incomplete\nCODIS profiles are those for which the required number of core loci were not\ntested or do not contain all of the DNA information that resulted from a DNA\nanalysis and may not be searched at NDIS. 7 The probability of a false match\namong DNA profiles is reduced as the completeness of a profile increases.\nInaccurate profiles, which contain incorrect DNA information or an incorrect\nspecimen number, may generate false positive leads, false negative\ncomparisons, or lead to the misidentification of a sample. CODIS becomes\nmore useful as the quantity of DNA profiles in the system increases because\nthe potential for additional leads rises. However, laws and regulations\nexclude certain types of profiles from being uploaded to CODIS to prevent\n\n      7\n          A \xe2\x80\x9clocus\xe2\x80\x9d is a specific location on a chromosome. The plural form of locus is loci.\n\n\n                                             -5-\n\x0cviolations to an individual\xe2\x80\x99s privacy and foster the public\xe2\x80\x99s confidence in\nCODIS. Therefore, it is the responsibility of the Laboratory to ensure that it\nis adhering to the NDIS participation requirements and the profiles uploaded\nto CODIS are complete, accurate, and allowable for inclusion in NDIS.\n\nLaboratory Information\n\n      The audited Laboratory participates in the CODIS program as both a\nState DNA Index System Laboratory and Local DNA Index System\nLaboratory. The Laboratory began using DNA to process criminal cases in\n1997 and started uploading profiles to NDIS in 2001. The Laboratory\nperforms analysis on both convicted offender and forensic samples.\nHowever, our audit focused on the analysis of forensic profiles. The\nLaboratory contracted with an outside laboratory for the analysis of forensic\nsamples; from 2008 through 2010, 2,807 profiles were outsourced for\nanalysis. We verified that the Laboratory received its last accreditation by\nthe American Society of Crime Laboratory Directors/ Laboratory\nAccreditation Board (ASCLD/LAB) in 2007 and will be eligible for\nreaccreditation in 2012.\n\n\n\n\n                                     -6-\n\x0c                FINDINGS AND RECOMMENDATIONS\n\n\n      I. Compliance with NDIS Participation Requirements\n\n      The Laboratory complied with the NDIS participation\n      requirements we reviewed.\n\n      The NDIS participation requirements, which consist of the MOU and\nthe NDIS Procedure Manual, establish the responsibilities and obligations of\nlaboratories that participate in the CODIS program at the national level. The\nMOU describes the CODIS-related responsibilities of both the Laboratory and\nthe FBI. The NDIS Procedure Manual is comprised of the NDIS operational\nprocedures and provides detailed instructions for laboratories to follow when\nperforming certain procedures pertinent to NDIS. The NDIS participation\nrequirements we reviewed are listed in Appendix II of this report.\n\nResults of the OIG Audit\n\n      We found that the Laboratory complied with the NDIS participation\nrequirements we reviewed. Specifically, we found that the Laboratory\nmaintained adequate security over its facilities and CODIS servers,\nsubmitted the required background information on CODIS users to the FBI,\nkept records showing CODIS users were properly trained, and were timely in\nresolving the NDIS matches we reviewed. The results of our audit are\ndescribed in more detail below.\n\n      \xe2\x80\xa2   We interviewed the Backup CODIS Administrator and conducted a\n          walk-through tour of the building and the Laboratory. 8 We\n          identified no significant concerns regarding the Laboratory\xe2\x80\x99s\n          procedures for securing the CODIS server or the Laboratory\xe2\x80\x99s\n          facilities.\n\n      \xe2\x80\xa2   We interviewed the CODIS Administrator to determine that\n          appropriate staff have received a copy of the NDIS procedures\n          manual and measures have been taken to ensure personnel\n          understand and abide by the manual. We also interviewed two\n          CODIS users and determined that they understood NDIS\n          procedures and could access the procedures via the Laboratory\xe2\x80\x99s\n          online system.\n\n\n      8\n         We interviewed the Backup CODIS Administrator because the CODIS Administrator\nwas out of the office at the time of our audit.\n\n\n                                        -7-\n\x0c     \xe2\x80\xa2   We verified with the FBI that all Laboratory CODIS users have\n         completed the 2010 DNA Records Acceptable at NDIS training.\n\n     \xe2\x80\xa2   The Laboratory is required to submit certain background and\n         security information to the FBI for each CODIS user. We verified\n         that the Laboratory submitted the required information to the FBI.\n\n     \xe2\x80\xa2   We interviewed the Laboratory\xe2\x80\x99s Quality Assurance Coordinator and\n         determined the Laboratory was in compliance with NDIS\n         requirements for the maintenance of personnel records.\n\n     \xe2\x80\xa2   We reviewed a sample of 10 NDIS matches and determined that\n         each match was confirmed by the Laboratory in a timely manner,\n         and when applicable, the investigators were notified.\n\nConclusion\n\n       We found the Laboratory to be in compliance with all areas of NDIS\nparticipation requirements that we reviewed. We made no\nrecommendations concerning our review of NDIS participation requirements.\n\n\n\n\n                                    -8-\n\x0c       II. Compliance with the Quality Assurance Standards\n\n       The Laboratory complied with the Forensic Quality Assurance\n       Standards we reviewed.\n\n       During our audit, we considered the Forensic Quality Assurance\nStandards (QAS) issued by the FBI. 9 These standards describe the quality\nassurance requirements that the Laboratory must follow to ensure the\nquality and integrity of the data it produces. We also assessed the most\nrecent QAS review that the laboratory underwent. 10 The QAS we reviewed\nare listed in Appendix II.\n\nResults of the OIG Audit\n\n     We found that the Laboratory complied with the Forensic QAS tested.\nThese results are described in more detail below.\n\n       \xe2\x80\xa2    The Laboratory underwent a QAS review in each of the last\n            2 calendar years as required by the QAS for laboratory reviews. In\n            May 2010, the Laboratory underwent a QAS review by internal\n            reviewers. In March 2009, the laboratory underwent a QAS review\n            by external reviewers.\n\n       \xe2\x80\xa2    We reviewed the most recent QAS reports provided by the\n            Laboratory\xe2\x80\x99s Quality Assurance Coordinator. The FBI\xe2\x80\x99s QAS Review\n            Document was used to conduct both the internal and external\n            reviews. We contacted the FBI and verified that at least one\n            reviewer on the internal and external audit teams had successfully\n            completed the FBI QAS Review training course. The reviewers\n            reported two instances of non-compliance in the 2009 external\n            report and three instances of non-compliance in the 2010 internal\n            report. According to the 2009 external review report, the\n            Laboratory failed to follow documented procedures that minimize\n            loss contamination and/or deleterious change of evidence, and the\n\n       9\n         Forensic Quality Assurance Standards refers to the Quality Assurance Standards\nfor Forensic DNA Testing Laboratories, effective July 1, 2009.\n\n       10\n            The QAS require that laboratories undergo annual audits. Every other year, the\nQAS requires that the audit be performed by an external agency that performs DNA\nidentification analysis and is independent of the laboratory being reviewed. These audits\nare not required by the QAS to be performed in accordance with the Government Auditing\nStandards (GAS) and are not performed by the Department of Justice Office of the\nInspector General. Therefore, we will refer to the QAS audits as reviews (either an internal\nlaboratory review or an external laboratory review, as applicable) to avoid confusion with\nour audits that are conducted in accordance with GAS.\n\n\n                                           -9-\n\x0c    Laboratory failed to follow written procedures for taking corrective\n    action whenever proficiency testing discrepancies and/or casework\n    errors were detected. According to the 2010 internal review report,\n    the Laboratory failed to follow written procedures for cleaning and\n    decontaminating facilities and equipment, failed to follow written\n    analytical procedures approved by the technical leader, and failed\n    to follow a documented program for conducting performance checks\n    and calibrating equipment and instruments. We reviewed the\n    corrective action taken by the Laboratory and determined that it\n    established procedures as appropriate and adequately addressed\n    the 2009 external and 2010 internal QAS reviewers\xe2\x80\x99 findings.\n\n\xe2\x80\xa2   The QAS require that the Laboratory submit external QAS review\n    reports to the NDIS Custodian within 30 days of the Laboratory\n    receiving them. The Laboratory\xe2\x80\x99s Quality Assurance Coordinator\n    stated that the latest external review report was submitted to the\n    NDIS Custodian within 30 days of the report\xe2\x80\x99s issuance. However,\n    the Laboratory did not maintain documentation of when it received\n    the report. We reviewed the latest external review reports dated\n    April 2008 and March 2009 and contacted the NDIS Audit Review\n    Panel to determine when the reports were received by the NDIS\n    Custodian. We found that the two latest reports were received in\n    November 2008 and July 2009, respectively. However, because the\n    Laboratory did not have a record of when it received the reports,\n    we were not able to verify compliance with the 30 day standard.\n\n\xe2\x80\xa2   During our audit, we reviewed the prior years\xe2\x80\x99 audit reports to\n    ensure there were no repeat findings. We found that one finding in\n    the 2010 internal review report was also a finding in the 2008\n    external report. We reviewed the corrective action taken to resolve\n    this finding related to conducting performance checks and\n    calibrating equipment and instruments and found that the\n    Laboratory contested the finding in the 2008 external report. The\n    Laboratory addressed this same finding in the 2010 internal report\n    and took corrective action by specifying a standard set of check\n    logs and responsibilities. Upon reviewing the corrective action\n    taken by the Laboratory, we found that the Laboratory adequately\n    addressed the external and internal QAS reviewers\xe2\x80\x99 findings.\n\n\xe2\x80\xa2   We asked the reviewer who conducted the most recent external\n    QAS review to certify that she had no impairments to her\n    independence. The QAS reviewer provided us with this certification.\n\n\n\n\n                              - 10 -\n\x0c     \xe2\x80\xa2   We toured the Laboratory building and interviewed the Backup\n         CODIS Administrator, and we determined that the facility appeared\n         to have adequate physical access controls in place.\n\n     \xe2\x80\xa2   We interviewed the Backup CODIS Administrator and reviewed\n         written policies to determine that the Laboratory appeared to have\n         adequate procedures in place to ensure the integrity of physical\n         evidence.\n\n     \xe2\x80\xa2   We interviewed the Backup CODIS Administrator and reviewed\n         policies and practices regarding the separation of known and\n         unknown samples during the analysis process. We determined that\n         the policies and procedures appeared to be adequate.\n\n     \xe2\x80\xa2   We interviewed the Laboratory\xe2\x80\x99s Quality Assurance Coordinator and\n         reviewed applicable procedures, and we determined that the\n         Laboratory appeared to be in compliance with standards governing\n         the retention of samples after analysis.\n\n     \xe2\x80\xa2   We contacted Laboratory officials and found that although the\n         Laboratory is not currently outsourcing the analysis of profiles, the\n         Laboratory did outsource the analysis of profiles during the past 2\n         years. We obtained the contracted laboratory\xe2\x80\x99s latest QAS review\n         and accreditation materials and found no instances of\n         noncompliance.\n\n     \xe2\x80\xa2   We interviewed the Laboratory\xe2\x80\x99s Quality Assurance Coordinator and\n         determined that the Laboratory has procedures requiring review of\n         100 percent of outsourced work, including raw data and values of\n         loci.\n\n     \xe2\x80\xa2   We interviewed the Laboratory\xe2\x80\x99s Quality Assurance Coordinator and\n         reviewed the Laboratory\xe2\x80\x99s site visit reports and confirmed that the\n         Laboratory had performed annual site visits of a laboratory to which\n         it outsourced the analysis of some DNA samples.\n\nConclusion\n\n     We made no recommendations concerning our review of Quality\nAssurance Standards.\n\n\n\n\n                                    - 11 -\n\x0c      III. Suitability of Forensic DNA Profiles in CODIS Databases\n\n      Of the 100 forensic profiles we reviewed, 96 profiles were\n      complete, accurate, and allowable for inclusion in NDIS. We\n      identified four profiles that were not allowable for inclusion in\n      NDIS. The profiles were either missing supporting information to\n      sustain their allowability in NDIS, belonged to the victim, or\n      could not be connected to the crime scene.\n\n       We reviewed a sample of the Laboratory\xe2\x80\x99s forensic DNA profiles to\ndetermine whether each profile was complete, accurate, and allowable for\ninclusion in NDIS. 11 To test the completeness and accuracy of each profile,\nwe established standards that require a profile include all the loci for which\nthe analyst obtained results and that the values at each locus match those\nidentified during analysis. Our standards are described in more detail in\nAppendix II of this report.\n\n       The NDIS operational procedures establish the DNA data acceptance\nstandards by which laboratories must abide. These procedures prohibit a\nlaboratory from uploading forensic profiles to NDIS that clearly match the\nDNA profile of the victim or another known person, unless the known person\nis a suspected perpetrator. The NDIS procedures we reviewed are listed in\nAppendix II of this report.\n\nResults of the OIG Audit\n\n       We selected a random sample of 100 profiles out of the 4,510 forensic\nprofiles the Laboratory had uploaded to NDIS as of September 22, 2010. Of\nthe 100 forensic profiles sampled, we found 4 were unallowable for upload to\nNDIS. The remaining 96 profiles sampled were complete, accurate, and\nallowable for inclusion in NDIS. The specific exceptions we identified are\nexplained in more detail below.\n\nOIG Sample Number CA-25\n\n      The Laboratory was unable to provide information on Sample\nNumber CA-25; thus we were unable to determine the allowability,\ncompleteness, and accuracy of this profile. According to the CODIS\nAdministrator, Sample Number CA-25 was from a rape case from 1990. In\nprior years, the Laboratory\xe2\x80\x99s procedures for this type of crime required that\n\n\n      11\n         When a laboratory's universe of DNA profiles in NDIS exceeds 1,500, our sample\n is taken from SDIS rather than directly from NDIS. See Appendix I for further description\n of the sample selection.\n\n\n                                         - 12 -\n\x0cthe case be purged after 10 years in the system. All case notes and crime-\nrelated information on the case were destroyed, and thus there is insufficient\ndocumentation to support the profile\xe2\x80\x99s inclusion in NDIS. The CODIS\nAdministrator stated that in recent years the Laboratory implemented\nretention procedures to ensure case notes and related information for rape\ncases that are entered into CODIS are not destroyed. The Laboratory now\nmarks the case file for all CODIS rape cases with a checkmark to ensure\nsupporting documentation is not destroyed after the 10-year period. Once\nwe informed the Laboratory of the issue related to sample CA-25, the\nLaboratory deleted the profile from CODIS.\n\nOIG Sample Number CA-62\n\n      Sample Number CA-62 was taken from a pillow belonging to a victim.\nInformation in the case file did not indicate that a crime had occurred and\nthat an elimination standard was taken from the victim. We informed the\nLaboratory of this issue and the Laboratory deleted this profile from CODIS.\n\nOIG Sample Number CA-71\n\n       According to the accompanying police report, sample Number CA-71\nwas taken from money \xe2\x80\x9ccirculating\xe2\x80\x9d at a store near a crime scene. The\npolice report also indicated that the suspect may have brought the money\ninto the store. Although the specimen did not come from a crime scene, it\nwas entered into CODIS. We informed the Laboratory of this issue, and the\nLaboratory deleted this profile from CODIS.\n\nOIG Sample Number CA-93\n\n      According to case file information, sample CA-93 was taken from the\n\xe2\x80\x9cclothing of a suspect.\xe2\x80\x9d The information in the case file did not indicate that\nthe specimen was collected from a crime scene. The profile had been\ntechnically reviewed for accuracy and was otherwise complete. However, it\nshould not have been uploaded because there was not sufficient information\nto indicate that the specimen came from the crime scene. We informed the\nLaboratory of this issue, and the Laboratory deleted this profile from CODIS.\n\nConclusion\n\n       Out of the 100 profiles we reviewed four were unallowable for inclusion\nin NDIS. The remaining profiles were complete, accurate, and allowable for\ninclusion in NDIS. All four of the unallowable profiles in our sample were\nprocessed by the Laboratory prior to December 2003. The Backup CODIS\nAdministrator explained that early on when NDIS was a new tool, the\n\n\n                                    - 13 -\n\x0cLaboratory uploaded nearly everything into the system. It appears that the\nLaboratory has revised its procedures to ensure only allowable profiles are\nentered into CODIS. We made no recommendations concerning our review\nof Forensic DNA profiles.\n\n\n\n\n                                   - 14 -\n\x0c                                                                             APPENDIX I\n\n              OBJECTIVES, SCOPE, AND METHODOLOGY\n\n\n      We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we\nplan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n      Our audit generally covered the period from November 2008 through\nOctober 2010. The objectives of the audit were to determine if the:\n(1) Laboratory was in compliance with the NDIS participation requirements;\n(2) Laboratory was in compliance with the Quality Assurance Standards\n(QAS) issued by the FBI; and (3) Laboratory\xe2\x80\x99s forensic DNA profiles in\nCODIS databases were complete, accurate, and allowable for inclusion in\nNDIS. To accomplish the objectives of the audit, we:\n\n       \xe2\x80\xa2    Examined internal and external Laboratory review reports and\n            supporting documentation for corrective action taken, if any, to\n            determine: (a) if the Laboratory complied with the QAS, (b) whether\n            repeat findings were identified, and (c) whether recommendations\n            were adequately resolved.12\n\n            In accordance with the QAS, the internal and external laboratory\n            review procedures are to address, at a minimum, a laboratory\xe2\x80\x99s\n            quality assurance program, organization and management, personnel\n            qualifications, facilities, evidence control, validation of methods and\n            procedures, analytical procedures, calibration and maintenance of\n            instruments and equipment, proficiency testing of analysts, corrective\n            action for discrepancies and errors, review of case files, reports,\n            safety, and previous audits. The QAS require that internal and\n            external reviews be performed by personnel who have successfully\n            completed the FBI\xe2\x80\x99s training course for conducting such reviews.\n\n       12\n            The QAS require that laboratories undergo annual audits. Every other year, the\nQAS requires that the audit be performed by an external agency that performs DNA\nidentification analysis and is independent of the laboratory being reviewed. These audits\nare not required by the QAS to be performed in accordance with the Government Auditing\nStandards (GAS) and are not performed by the Department of Justice Office of the\nInspector General. Therefore, we will refer to the QAS audits as reviews (either an internal\nlaboratory review or an external laboratory review, as applicable) to avoid confusion with\nour audits that are conducted in accordance with GAS.\n\n\n\n                                           - 15 -\n\x0c             As permitted by GAS 7.42 (2007 revision), we generally relied on\n             the results of the Laboratory\xe2\x80\x99s external laboratory reviews to\n             determine if the Laboratory complied with the QAS. 13 In order to\n             rely on the work of non-auditors, GAS requires that we perform\n             procedures to obtain sufficient evidence that the work can be relied\n             upon. Therefore, we: (1) obtained evidence concerning the\n             qualifications and independence of the individuals who conducted\n             the review and (2) determined that the scope, quality, and timing\n             of the audit work performed was adequate for reliance in the\n             context of the current audit objectives by reviewing the evaluation\n             procedure guide and resultant findings to understand the methods\n             and significant assumptions used by the individuals conducting the\n             reviews. Based on this work, we determined that we could rely on\n             the results of the Laboratory\xe2\x80\x99s external laboratory review.\n\n        \xe2\x80\xa2    Interviewed Laboratory officials to identify management controls,\n             Laboratory operational policies and procedures, Laboratory\n             certifications or accreditations, and analytical information related to\n             DNA profiles.\n\n        \xe2\x80\xa2    Toured the Laboratory to observe facility security measures as well as\n             the procedures and controls related to the receipt, processing,\n             analyzing, and storage of forensic evidence and convicted offender\n             DNA samples.\n\n        \xe2\x80\xa2    Reviewed the Laboratory\xe2\x80\x99s written policies and procedures related to\n             conducting internal reviews, resolving review findings, expunging\n             DNA profiles from NDIS, and resolving matches among DNA profiles\n             in NDIS.\n\n        \xe2\x80\xa2    Reviewed supporting documentation for 10 of 861 NDIS matches to\n             determine whether they were resolved in a timely manner. The\n             Laboratory provided the universe of 861 NDIS matches as of\n             October 7, 2010. The sample was judgmentally selected to include\n             both case-to-case and case-to-offender matches. This non-statistical\n             sample does not allow projection of the test results to all matches.\n\n\n        13\n            We also considered the results of the Laboratory\xe2\x80\x99s internal laboratory review, but\ncould not rely on it because it was not performed by personnel independent of the\nLaboratory. Further, as noted in Appendix II, we performed audit testing to verify\nLaboratory compliance with specific Quality Assurance Standards that have a substantial\neffect on the integrity of the DNA profiles uploaded to NDIS.\n\n\n\n                                            - 16 -\n\x0c     \xe2\x80\xa2   Reviewed supporting documentation to determine whether the\n         Laboratory provided adequate vendor oversight.\n\n     \xe2\x80\xa2   Reviewed the case files for selected forensic DNA profiles to\n         determine if the profiles were developed in accordance with the\n         Forensic QAS and were complete, accurate, and allowable for\n         inclusion in NDIS.\n\n         We were unable to obtain the forensic profile information directly\n         from NDIS because of the large number of profiles involved and\n         because FBI management controls at the NDIS level prohibit the\n         dissemination of information in an electronic format. Therefore,\n         working in conjunction with the contractor used by the FBI to\n         maintain NDIS and the CODIS software, the Laboratory provided us\n         with an electronic file identifying the 4,510 STR forensic profiles the\n         Laboratory had uploaded to NDIS as of September 22, 2010. We\n         verified that the total number of the Laboratory\xe2\x80\x99s profiles per the\n         NDIS Custodian agreed with the number of profiles we received from\n         the Laboratory. Because the total numbers agreed, we considered\n         this universe of profiles to be representative of the Laboratory\xe2\x80\x99s\n         profiles contained in NDIS. We limited our review to a sample of\n         100 profiles. This sample size was determined judgmentally because\n         preliminary audit work determined that risk was not unacceptably\n         high.\n\n     \xe2\x80\xa2   Using the judgmentally determined sample size, we randomly\n         selected a representative sample of labels associated with specific\n         profiles in our universe to reduce the effect of any patterns in the list\n         of profiles provided to us. However, because the sample size was\n         judgmentally determined, the results obtained from testing this\n         limited sample of profiles may not be projected to the universe of\n         profiles from which the sample was selected.\n\n      The objectives of our audit concerned the Laboratory's compliance with\nrequired standards and the related internal controls. Accordingly, we did not\nattach a separate statement on compliance with laws and regulations or a\nstatement on internal controls to this report. See Appendix II for detailed\ninformation on our audit criteria.\n\n\n\n\n                                      - 17 -\n\x0c                                                                APPENDIX II\n\n                             AUDIT CRITERIA\n\n\n      In conducting our audit, we considered the NDIS participation\nrequirements and the Quality Assurance Standards (QAS). However, we did\nnot test for compliance with elements that were not applicable to the\nLaboratory. In addition, we established standards to test the completeness\nand accuracy of DNA profiles as well as the timely notification of DNA profile\nmatches to law enforcement.\n\nNDIS Participation Requirements\n\n       The NDIS participation requirements, which consist of the\nMemorandum of Understanding (MOU) and the NDIS operational procedures,\nestablish the responsibilities and obligations of laboratories that participate\nin NDIS. The MOU requires that NDIS participants comply with federal\nlegislation and the QAS, as well as NDIS-specific requirements\naccompanying the MOU in the form of appendices. We focused our audit on\nspecific sections of the following NDIS operational procedures.\n\n      \xe2\x80\xa2   DNA Data Acceptance Standards\n      \xe2\x80\xa2   DNA Data Accepted at NDIS\n      \xe2\x80\xa2   QAS Audits\n      \xe2\x80\xa2   NDIS DNA Auto searches\n      \xe2\x80\xa2   Confirm an Interstate Candidate Match\n      \xe2\x80\xa2   General Responsibilities\n      \xe2\x80\xa2   Initiate and Maintain a Laboratory\xe2\x80\x99s Participation in NDIS\n      \xe2\x80\xa2   Security Requirements\n      \xe2\x80\xa2   CODIS Users\n      \xe2\x80\xa2   CODIS Administrator Responsibilities\n      \xe2\x80\xa2   Access to, and Disclosure of, DNA Records and Samples\n      \xe2\x80\xa2   Upload of DNA Records\n      \xe2\x80\xa2   Expunge a DNA Record\n\nQuality Assurance Standards\n\n      The FBI issued two sets of Quality Assurance Standards QAS: QAS for\nForensic DNA Testing Laboratories, effective July 1, 2009 (Forensic QAS);\nand QAS for DNA Databasing Laboratories, effective July 1, 2009 (Offender\nQAS). The Forensic QAS and the Offender QAS describe the quality\nassurance requirements that the Laboratory should follow to ensure the\nquality and integrity of the data it produces.\n\n\n\n\n                                     - 18 -\n\x0c       For our audit, we generally relied on the reported results of the\nLaboratory\xe2\x80\x99s most recent annual external review to determine if the\nLaboratory was in compliance with the QAS. Additionally, we performed\naudit work to verify that the Laboratory was in compliance with the QAS\nlisted below because they have a substantial effect on the integrity of the\nDNA profiles uploaded to NDIS.\n\n      \xe2\x80\xa2   Facilities (Forensic QAS and Offender QAS 6.1): The laboratory shall\n          have a facility that is designed to ensure the integrity of the\n          analyses and the evidence.\n\n      \xe2\x80\xa2   Evidence Control (Forensic QAS 7.1): The laboratory shall have and\n          follow a documented evidence control system to ensure the integrity\n          of physical evidence. Where possible, the laboratory shall retain or\n          return a portion of the evidence sample or extract.\n\n      \xe2\x80\xa2   Sample Control (Offender QAS 7.1): The laboratory shall have and\n          follow a documented sample inventory control system to ensure the\n          integrity of database and known samples.\n\n      \xe2\x80\xa2   Analytical Procedures (Forensic QAS and Offender QAS 9.5): The\n          laboratory shall monitor the analytical procedures using [appropriate]\n          controls and standards.\n\n      \xe2\x80\xa2   Review (Forensic QAS 12.1): The laboratory shall conduct\n          administrative and technical reviews of all case files and reports to\n          ensure conclusions and supporting data are reasonable and within\n          the constraints of scientific knowledge.\n\n          (Offender QAS Standard 12.1): The laboratory shall have and follow\n          written procedures for reviewing DNA records and DNA database\n          information, including the resolution of database matches.\n\n      \xe2\x80\xa2   Reviews (Forensic QAS and Offender QAS 15.1 and 15.2): The\n          laboratory shall be audited annually in accordance with the QAS. The\n          annual audits shall occur every calendar year and shall be at least\n          6 months and no more than 18 months apart.\n          At least once every 2 years, an external audit shall be conducted by\n          an audit team comprised of qualified auditors from a second\n          agency(ies) and having at least one team member who is or has\n          been previously qualified in the laboratory\xe2\x80\x99s current DNA\n          technologies and platform.\n\n\n\n\n                                      - 19 -\n\x0c     \xe2\x80\xa2   Outsourcing (Forensic QAS and Offender QAS Standard 17.1): A\n         vendor laboratory performing forensic and database DNA analysis\n         shall comply with these Standards and the accreditation requirements\n         of federal law.\n\n         Forensic QAS 17.4: An NDIS participating laboratory shall have and\n         follow a procedure to verify the integrity of the DNA data received\n         through the performance of the technical review of DNA data from a\n         vendor laboratory.\n\n         Offender QAS Standard 17.4: An NDIS participating laboratory shall\n         have, follow, and document appropriate quality assurance procedures\n         to verify the integrity of the data received from the vendor\n         laboratory.\n\nOffice of the Inspector General Standards\n\n       We established standards to test the completeness and accuracy of\nDNA profiles as well as the timely notification of law enforcement when DNA\nprofile matches occur in NDIS. Our standards are listed below.\n\n     \xe2\x80\xa2   Completeness of DNA Profiles: A profile must include each value\n         returned at each locus for which the analyst obtained results. Our\n         rationale for this standard is that the probability of a false match\n         among DNA profiles is reduced as the number of loci included in a\n         profile increases. A false match would require the unnecessary use\n         of laboratory resources to refute the match.\n\n     \xe2\x80\xa2   Accuracy of DNA Profiles: The values at each locus of a profile\n         must match those identified during analysis. Our rationale for this\n         standard is that inaccurate profiles may: (1) preclude DNA profiles\n         from being matched and, therefore, the potential to link convicted\n         offenders to a crime or to link previously unrelated crimes to each\n         other may be lost; or (2) result in a false match that would require\n         the unnecessary use of laboratory resources to refute the match.\n\n     \xe2\x80\xa2   Timely Notification of Law Enforcement When DNA Profile Matches\n         Occur in NDIS: Laboratories should notify law enforcement\n         personnel of NDIS matches within 2 weeks of the match\n         confirmation date, unless there are extenuating circumstances. Our\n         rationale for this standard is that untimely notification of law\n         enforcement personnel may result in the suspected perpetrator\n         committing additional, and possibly more egregious, crimes if the\n         individual is not deceased or already incarcerated for the\n         commission of other crimes.\n\n\n                                    - 20 -\n\x0c                                                              APPENDIX III\n\n                         AUDITEE RESPONSE\n\n\n      We provided a copy of the draft report to the Ohio Bureau of Criminal\nIdentification and Investigation. However, during the exit conference,\nLaboratory officials indicated that they would not be providing a response to\nthe report.\n\n\n\n\n                                    - 21 -\n\x0c                                                                                     APPENDIX IV\n\n        FEDERAL BUREAU OF INVESTIGATION RESPONSE\n\n                                                             U.S. Department of Justice\n\n                                                             Federal Bureau of Investigation\n\n\n\n                                                             Washington, D.C. 20535-0001\n\n                                                             September 28, 2011\nCarol S. Taraszka\nRegional Audit Manager\nChicago Regional Audit Office\nOffice of the Inspector General\n500 West Madison Street, Suite 3510A\nChicago, IL 60661-2590\n\n\nDear Ms. Taraszka:\n\n               Your memorandum to Director Mueller forwarding the draft audit report for the\nOhio Bureau of Criminal Identification and Investigation, London, Ohio (Laboratory), has been\nreferred to me for response.\n\n                Your draft report contained no recommendations relating to the Laboratory's\ncompliance with the FBI\xe2\x80\x99s Memorandum of Understanding and Quality Assurance Standards\nDNA Testing Laboratories and DNA Databasing Laboratories. The CODIS Unit reviewed the\ndraft report and since it appears that the Laboratory is in compliance with NDIS participation\nrequirements, the CODIS Unit has no significant comments to provide about the draft report.\n\n                Thank you for sharing the draft audit report with us. If you have any questions,\nplease feel free to contact Jennifer Luttman, Chief of the CODIS Unit, at (703) 632-8315.\n\n                                                      Sincerely,\n\n                                                             //s//\n\n                                                      Alice R. Isenberg, Ph.D\n                                                      Section Chief\n                                                      Biometrics Analysis Section\n                                                      FBI Laboratory\n\n\n\n\n                                             - 22 -\n\x0c"